Merge pull request #5133 from matrix-org/rav/systemrandom

Use SystemRandom for token generation.
2024-10-01 08:25:44 -04:00 · 2019-05-03 15:39:30 +01:00 · 2019-05-03 15:39:30 +01:00 · 1acfb9e9f0
commit 1acfb9e9f0
parent 35442efb75 60c3635f05
2 changed files with 8 additions and 2 deletions
--- a/changelog.d/5133.bugfix
+++ b/changelog.d/5133.bugfix
@ -0,0 +1 @@
+Switch to using a cryptographically-secure random number generator for token strings, ensuring they cannot be predicted by an attacker. Thanks to @opnsec for identifying and responsibly disclosing this issue!
--- a/synapse/util/stringutils.py
+++ b/synapse/util/stringutils.py
@ -24,14 +24,19 @@ _string_with_symbols = (
    string.digits + string.ascii_letters + ".,;:^&*-_+=#~@"
 )

+# random_string and random_string_with_symbols are used for a range of things,
+# some cryptographically important, some less so. We use SystemRandom to make sure
+# we get cryptographically-secure randoms.
+rand = random.SystemRandom()
+

 def random_string(length):
-    return ''.join(random.choice(string.ascii_letters) for _ in range(length))
+    return ''.join(rand.choice(string.ascii_letters) for _ in range(length))


 def random_string_with_symbols(length):
    return ''.join(
-        random.choice(_string_with_symbols) for _ in range(length)
+        rand.choice(_string_with_symbols) for _ in range(length)
    )
				`@ -0,0 +1 @@`
				`Switch to using a cryptographically-secure random number generator for token strings, ensuring they cannot be predicted by an attacker. Thanks to @opnsec for identifying and responsibly disclosing this issue!`